LinkedIn Messenger Flaws Enabled Attackers to Spread Malicious Files

Bad actors commonly abuse LinkedIn to launch digital attacks. With over 500 million members spread across 200 countries, the professional networking site contains crucial information that nefarious individuals can use to attack nearly any organization and its corporate data. They just need to establish an initial foothold in the company. Most of the time, this preliminary attack takes the form of a scam or other social engineering ploy by which miscreants seek to steal access to an employee's LinkedIn account. But that's not always the case. LinkedIn is also home to black hat hackers who exploit software vulnerabilities as a means of exposing users to digital threats. In fact, the social networking site recently plugged four security flaws affecting its messenger system that attackers could have used to infect unsuspecting users with malware.

Masquerade! Disguised Files on Parade

On June 14, 2017, LinkedIn learned of four weaknesses that enabled attackers to distribute malware to members. The vulnerabilities all pertained to the social media platform's messenger service, which for security reasons restricts the types of files members can attach to an internal message. The approved file types consist of the following file extensions: csv, doc, docx, gif, jpeg, jpg, pdf, png, ppt, pptx, txt, xls, and xlsx. LinkedIn's security restrictions automatically block all other files that don't fit those formats. But that wasn't entirely the case with these security issues. Check Point researchers Eran Vaknin, Dvir Atias, Alon Boxiner elaborate:

"… [I]n a recent trial conducted by Check Point researchers, it was discovered that attackers could bypass the security restrictions and attach a malicious file to the LinkedIn messaging service. To do this, an attacker could have uploaded a normal-looking file that passes LinkedIn’s security checks; however the file is only masquerading as a legitimate file, in reality, it is a form of malware that contains malicious content, able to infect the recipient’s network."

Under the first vulnerability, an attacker could have crafted a malicious PowerShell script and saved it as a PDF file before uploading it to LinkedIn's content delivery network (CDN) server. They could then have sent the PDF to a target, who upon opening the attached file would have suffered an infection. Similarly, an attacker could have exploited the second flaw to create a malicious PowerShell script stored inside a registry file and saved it as a PDF file. Infection, in this instance, would have yielded control of the victim's machine to the bad actor. That's not all. Using the third flaw, an attacker could have embedded a malicious macro inside of a fake xlsx file that ran a scrambled VB script shell code upon execution. Finally, they could have created a docx with an HTA file as an external object under the fourth vulnerability. Once a user opened the attachment, WINWORD would have automatically downloaded and executed the HTA file, thereby producing an infection. You can watch a demo of the final security issue in action below. https://youtu.be/IdOjGZArPkc LinkedIn patched the vulnerabilities within 10 days of learning about them from Check Point's researchers. Still, that's not to say black hat hackers won't find other ways to deliver malware onto unsuspecting users on the social networking site. As a result, it's important that LinkedIn users follow security best practices by not clicking on suspicious attachments. If someone they know sends them an unexpected attachment, they should confirm outside of LinkedIn that the individual intended to send them the file. They should also install a reputable anti-virus solution onto their computer. Such software can't detect all digital threats, but they can certainly help.